You are on page 1of 8

Nodes Bearing Grudges: Towards Routing Security, Fairness, and Robustness in Mobile Ad Hoc Networks

Sonja Buchegger IBM Zurich Research Laboratory S¨ umerstrasse 4, CH-8803 R¨ schlikon a u Jean-Yves Le Boudec EPFL-DSC CH-1015 Lausanne, Switzerland

Devices in mobile ad hoc networks work as network nodes and relay packets originated by other nodes. Mobile ad hoc networks can work properly only if the participating nodes cooperate in routing and forwarding. For individual nodes it might be advantageous not to cooperate, though. The new routing protocol extensions presented in this paper make it possible to detect and isolate misbehaving nodes, thus making it unattractive to deny cooperation. In the presented scheme, trust relationships and routing decisions are made based on experienced, observed, or reported routing and forwarding behavior of other nodes. A hybrid scheme of selective altruism and utilitarianism is presented to strengthen mobile ad hoc network protocols in their resistance to security attacks, while aiming at keeping network throughput, or goodput, high. This paper focuses particularly on the network layer, using the Dynamic Source Routing (DSR) protocol as an example.

furthermore, the Terminodes network is not limited to an organization who could enforce cooperation. Therefore, there is a need for incentives to cooperate in order to encourage the nodes to forward packets, although doing so consumes their resources. The issues discussed in this paper are relevant for both Terminodes and MANET-style mobile ad hoc networks. One of the protocols presented and discussed in the MANET working group of the IETF is the Dynamic Source Routing (DSR) protocol [9]. It is briefly presented in Section 5 and serves as an example of security vulnerabilities and what can be done to eliminate them. An extension to DSR is proposed for this purpose.

1.1. Special Security Issues for Mobile Ad Hoc Networks
In addition to authentication, integrity, confidentiality, availability, access control and non-repudiation (see [16] for details), which have to be addressed differently in a mobile, wireless, battery-powered and distributed environment, mobile ad hoc networks raise the following security issues: Cooperation and fairness: There is a trade-off between good citizenship, i.e. cooperation, and resource consumption, so nodes have to economize on their resources. At the same time, however, if they do not forward messages, others might not forward either, thereby denying them service. Total non-cooperation with other nodes and only exploiting their readiness to cooperate is one of several boycotting behavior patterns. Therefore, there has to be an incentive for a node to forward messages that are not destined to itself. Attacks include incentive mechanism exploitation by message interception, copying, or forging; incorrect forwarding; and bogus routing advertisement.

1. Introduction
Mobile ad hoc networks do not rely on any fixed infrastructure but communicate in a self-organized way. Their properties lead to new vulnerabilities to attacks unknown in infrastructure-based or wired networks. In this paper we address these requirements for more fairness and robustness of mobile ad hoc networks. An example of a mobile ad hoc network is being developed within the Terminodes 1 project [8] which is about large mobile ad hoc networks. It is different from other mobile ad hoc networks as proposed in the MANET (mobile ad hoc networks) working group of the IETF [11] in that the network is a wide-area, self-organized network. The wide area aspect raises scalability issues and,

Proceedings of the 10th Euromicro Workshop on Parallel, Distributed and Network-based Processing (EUROMICRO-PDP’02) 1066-6192/02 $17.00 © 2002 IEEE

the malicious nodes are rewarded and reinforced in their behavior. If. very well be by means of isolation. whereas their messages are forwarded without complaint.3. By diverting the traffic in the following ways. Related Work Anderson and Stajano [1] authenticate users by ‘imprinting’ according to the analogy of ducklings acknowledging the first moving subject they see as their mother. Without proper security. nodes can attract traffic to themselves or their colluding nodes by means of false routing advertisements. outlined as a protocol in Section 4 and applied to DSR in Section 5. Thwarting Attacks: Objectives We would like to achieve the following effect with our protocol: malicious behavior and non-cooperation should be punished and should not pay off. routing information can be equally or even more important than the message content itself [6]. detection and reaction: According to Schneier [14]. Haas employs threshold security. Garcia-Luna-Aceves et al. The detection has to lead to a reaction of other nodes such that it results in a disadvantage for the malicious node. some sort of ‘re-socialization’ and re-integration into the network communications should be possible. someone will find out how to get around them.2. which enable nodes to avoid malicious nodes in their routes. saving power by selfish behavior. This punishment can Proceedings of the 10th Euromicro Workshop on Parallel. Denial-of-service attacks can be achieved by bogus routing information (injecting of incorrect routing information or replay of old routing information or ‘black hole routes’ ) or by distorting routing information to partition the network or to load the network excessively. In contrast. allowing for several corrupted nodes or collusions [7]. nodes can work against that requirement: Routing: To get information necessary for successful malicious behavior. For the Terminodes project. thus causing retransmissions. to ensure forwarding. followed by a novel approach to increase fairness. Distributed and Network-based Processing (EUROMICRO-PDP’02) 1066-6192/02 $17. a node was wrongly accused of being malicious or turns out to be a repenting criminal equivalent who is no longer malicious and has behaved normally for a certain amount of time.Confidentiality of location: In some scenarios. or may decide not to forward messages at all. but not positive isolation in being isolated from the society’s duties but above all the society’s rights. Although only suitable for devices that have enough power. but enabling the devices to be imprinted several times. 1. disclosure.00 © 2002 IEEE . but rather relieves them of the burden of forwarding for others. Section 3 provides a rationale why cooperation can pay off. Their approach does not punish malicious nodes that do not cooperate. Motivation for Attacks The lack of infrastructure and organizational environment of mobile ad hoc networks offer special opportunities to attackers.4. [12] observed increased throughput in mobile ad hoc networks by complementing DSR with a watchdog (for detection of malicious behavior) and a ‘pathrater’ (for trust management and routing policy. Marti et al. and so on. every used path is rated). monetary benefits by exploiting incentive measures or trading confidential information. No traffic diversion: Routes should be advertised and set up adhering to the chosen routing protocol and should truthfully reflect the knowledge of the topology of the network. for instance in a military application. a prevention-only strategy only works if the prevention mechanisms are perfect. Detection of this kind of behavior is key but not the only point. Forwarding: Nodes can decide to forward messages to partners in collusion for analysis. 2. The rest of this paper consists of an outline of future work in Section 6 and the concluding Section 7. not be forwarded by the normally behaving nodes. preventing someone else from getting proper service. a lot of information can be gathered this way by malicious nodes for later use to enable more sophisticated attacks. extracting data to get confidential information. however. 1. otherwise. incentives to cooperate by means of so-called nuglets [4] that serve as a per-hop payment in every packet have been suggested by Buttyan et al. The scheme suggested here in the following sections addresses additional issues in the network layer such as traffic diversion. or monetary benefits. Most of the attacks and vulnerabilities have been the result of bypassing prevention mechanisms. upon detection of the node being malicious. 1. it is possible to gain various advantages by malicious behavior: better service than cooperating nodes. thus boycotting communications. Organization of the Paper The remainder of this paper is organized as follows: Related work is discussed in Section 2. [15] looked at security of distance vector protocols in general. Packets of malicious nodes should. Given this reality. detection and response are essential. This way. robustness and cooperation which is motivated in Section 3. Prevention.

Defining suitable cost and profit to routing and forwarding favors and keeping a history of experiences with noncooperating nodes achieves the same as the grudger species. assuming a cost for grooming another bird’s head and a profit of having one’s head groomed. From Birds to Network Nodes The 3. By keeping a copy of a packet Proceedings of the 10th Euromicro Workshop on Parallel.) suggested here is the equivalent of a ‘neighborhood watch’. to speed up the winning of grudger nodes: o learn from observed behavior: employ ‘neighborhood watch’ to be warned by watching what happens to other nodes in the neighborhood. which they cannot clean themselves. the grudgers win over time. but bears a grudge against those birds that do not return the favor and subsequently no longer grooms their head. i. the nodes most likely to detect non-compliant ‘criminal’ behavior are the nodes in the vicinity of the criminal and in some cases the source and the destination. o learn from reported behavior: share information of experienced malicious behavior with friends and learn from them.00 © 2002 IEEE . so the number of suckers decreases. a loss leading to extinction and profit leading to multiplication of the species. Dawkins divides birds into two types: ‘suckers’ which always help and ‘cheats’ which have other birds groom parasites off their head but fail to return the favor. nodes forward for each other. The metric for success is the resulting goodput.e. and keeping a history of all bad experiences with other nodes equals large storage requirements and long lists to go through.1 The Monitor (Neighborhood Watch) In a networking environment. Winning is defined as having the greatest benefit.We would like to achieve the contrary. the Reputation System. According to Dawkins. Components in Each Node The protocol containing the improvements to the grudger’s scheme consists of the following components as shown in Figure 1: The Monitor. After a while. etc. which are incorporated in a protocol explained in the next section.2. Over all. 4. Once the suckers are extinct. namely to make only good behavior pay off in terms of service and reasonable power consumption. The neighbors of the neighborhood watch can detect deviances by the next node on the source route by either listening to the transmission of the next node or by observing route protocol behavior. 4. we suggest the following ideas.2. The latter is not always the case. but both are driven to extinction over time. The grudgers also suffer from some loss. the ‘grudger’ which starts out being helpful to every bird. reciprocal altruism is beneficial for every biological system when favors are granted simultaneously. in mobile ad hoc networks. Distributed and Network-based Processing (EUROMICRO-PDP’02) 1066-6192/02 $17. misuse of cooperation incentives. because they don’t help a cheat twice and cheats are also not helped by other cheats. but less than the suckers. Bearing Grudges: The Selfish Gene As explained in Richard Dawkins’ ‘The Selfish Gene’ [5]. One approach to protocol enforcement and detection of damaging behavior (intrusion. because the probability of a first-help by a grudger increases with a higher population of grudgers. The components are present in every node and they are described in detail subsequently: 4. it is disadvantageous for nodes to behave maliciously. In this system. driving the cheats out of business. simulation has shown that when starting with a majority population of cheats and marginal groups of both suckers and grudgers. for instance in the case of replay.1. and the Trust Manager. the Path Manager. so there is an intrinsic motivation for cooperation due to instant gratification. denial of service. whereas the other species become extinct. while the number of cheats increases. which is the case when. if they detect unusual behavior or do not get proper responses. Application and Improvements: Grudger Protocol 4. An example of how this can work in biology is presented subsequently. The rationale is as follows: The suckers help more than they get favors due to the large number of cheats. The benefit of behaving well is not so obvious in the case of a delay between granting a favor and repayment. With the scheme we present in this paper. In a very large ad hoc network. the number of bits per unit of time forwarded to the correct destination. A biological example used in ‘The Selfish Gene’ [5] explains the survival chances (and thus gene selection) of birds grooming parasites off each other’s head. Dawkins then introduces a third kind of bird. where nodes locally look for deviating nodes. the population of the grudgers grows. minus any bits lost or retransmitted. before nodes have to make a bad experience themselves. the number of cheats decreases more slowly. the grudgers grow rapidly at the expense of the cheats. Therefore. clearly the cheats have an advantage over the suckers. convergence can be very slow.

For example. As soon as a given bad behavior occurs. the following types of misbehavior can be indicated: o no forwarding (of control messages nor data). trust management has to be distributed and adaptive [2]. [13]. local rating lists and/or black lists are maintained at each node and potentially exchanged with friends.e. o Trust table managing trust levels for nodes. whereas outgoing ALARMS are generated Proceedings of the 10th Euromicro Workshop on Parallel. o route salvaging (i. 4. A mechanism similar to the trust management in Pretty Good Privacy (PGP) for key validation and certification is used here for mobile ad hoc networks for trust management for routing and forwarding. In this paper we focussed on the detection of observable routing and forwarding misbehavior in DSR as listed in section 5. ‘none’. and how much they are trusted. Trust is important when making a decision about the following issues: o providing or accepting routing information. while listening to the transmission of the next node. ‘marginal’.2. In PGP [18]. The following functions are performed by the trust manager: o Trust function to calculate trust levels. It computes a weighted score of validity.2. e. o unusual traffic attraction (advertises many very good routes or advertises routes very fast. This component deals with incoming and outgoing ALARM messages. Trust architecture and finite state machine within each node. rerouting to avoid a broken link). o taking part in a route originated by some other node. several levels of trust can be expressed. They provide a means of obtaining a quality rating of participants of transactions by having both the buyer and the seller give each other feedback on how their activities were perceived and evaluated. o Trust table entries management for trust level administration. ‘unknown’. the reputation system is called. although no error has been observed. o unusually frequent route updates. any content change can also be detected. The weighting scheme is adjustable to require a different number of marginally trusted signatures to judge a key as valid. As a component within each node. although an error has been observed. Distributed and Network-based Processing (EUROMICRO-PDP’02) 1066-6192/02 $17.g. it examines the trust level of all the attached certifying signatures. nodes that are candidates to receive ALARM messages from a given node. o lack of error messages. The trust manager administers a table of friends. o silent route change (tampering with the message header of either control or data packets).2 The Trust Manager In an ad hoc environment. two marginally trusted signatures might be deemed credible as one completely trusted signature. The nodes can include black initial state threshold exceeded within tolerance Path Manager managing path rating tolerance exceeded Figure 1. When PGP is calculating the validity of a public key.Reputation System evaluating alarm Trust Manager updating ALARM table trusted evaluating trust enough evidence by the node itself after having experienced. 4.2. Incoming ALARMS originate from outside friends. so they are deemed good routes). For a detailed explanation of reputation systems see Resnick et al. In general. and ‘complete’. event detected significant event not significant updating event count not enough evidence ALARM received Monitor monitoring sending ALARM below threshold o Forwarding of ALARM messages.e. The trust manager consists of the following components: o Alarm table containing information about received alarms. the monitor registers these deviations of normal behavior. ALARM messages are sent by the trust manager of a node to warn others of malicious nodes.00 © 2002 IEEE . o Filtering of incoming ALARM messages according to the trust level of the reporting node. i. o accepting a node as part of a route. In order to avoid centralized rating. o Friends list containing all friends a node sends alarms to. observed or been reported malicious behavior.3 The Reputation System (Node Rating) Reputation systems are used in some online auctioning systems.

In a nutshell. the reputation system is built on negative experience rather than positive impressions. One way to achieve authentication is by using PGP along with distributed certification authorities. for different nodes can have different security requirements. Extension to DSR 5. If a suspicious event is detected. The DSR Protocol Dynamic Source Routing is a protocol developed for routing in mobile ad hoc networks and was proposed for MANET by Broch. the entry of the node that misbehaved is changed accordingly. the number of occurrences observed. event is significant for the node. The problem of how to distinguish alleged from proven malicious nodes and thus how to avoid false accusations can be lessened by timeout and subsequent recovery or revocation lists of nodes that have behaved well for a specified period of time. If that occurrence threshold is exceeded.4 The Path Manager The path manager performs the following functions: o Path re-ranking according to security metric. Information Flow Between Nodes In order to convey warning information.2. it works as follows: Nodes send out a ROUTE REQUEST message. Nodes can look up senders in the black list containing the nodes with bad rating before forwarding anything for them. The rating is then changed according to a rate function that assigns different weights to the type of behavior detection: o Own experience: greatest weight. Without authentication. Once the weight has been determined. the information is passed on to the path manager that proceeds to delete all routes containing the intolerable node from the path cache.g.3. 5. nodes can denounce each other at will and a trust management scheme is not feasible. The reputation system in this protocol manages a table consisting of entries for nodes and their rating. If the rating subsequently turns out to be intolerable.3. ignore.4. which also alarms nodes on the way. Johnson and Maltz at Carnegie Mellon University [9]. each node monitors the behavior of its next hop neighbors. it passes it on to the trust manager. also ignore. Another problem is scalability and how to avoid blown-up lists. the information is given to the reputation system. the reputation system updates the rating of the node that caused that event. the address of the reporting node. This message contains the type of protocol violation. The node continues to monitor the neighborhood and an ALARM message is sent as described in the next subsection.1. o Deletion of paths containing malicious nodes. If the Proceedings of the 10th Euromicro Workshop on Parallel. Enough evidence means that either the source of the ALARM is fully trusted or that several partially trusted nodes have reported the same and their respective assigned trust adds up to a value of one entirely trusted node or more. The questions of positive change and timeout are still to be addressed in detail. When the monitor component of a node receives such an ALARM message. o Reported experience: weight function according to PGP trust. If the source is at least partially trusted. whether the message was selforiginated by the sender. o Action on receiving a request for a route from a malicious node (e. it is checked whether the event has occurred more often than a predefined threshold high enough to distinguish deliberate malicious behavior from simple coincidences such as collisions. If there is enough evidence that the node reported in the ALARM is malicious. 4. o Action on receiving request for a route containing a malicious node in the source route (e. If the rating of a node in the table has deteriorated so much as to fall out of a tolerable range. the table containing the ALARMs is updated. all nodes that receive this message forward it to their neighbors and put 4. o Observations: smaller weight. the address of the observed node and the destination address (either the source of the route or the address of a friend that might be interested). do not send any reply) . Information Flow in Each Node As shown in Figure 1.g. where the source of the message is evaluated.sheep in the route request to be avoided for routing. 4. an ALARM message is sent by the trust manager component. Distributed and Network-based Processing (EUROMICRO-PDP’02) 1066-6192/02 $17. Bearing in mind that malicious behavior will hopefully be the exception and not the rule. alert the source). The rating is changed only when there is enough evidence for malicious behavior that is significant for a node and that has occurred a number of times exceeding a threshold to rule out coincidences.00 © 2002 IEEE . number of occurrences and accumulated reputation of the node as explained in Section 4. Authentication is a prerequisite for the protocol to work and assumed to exist here. as defined initially for the type of node. which can also be addressed by timeouts. the information is sent to the reputation system where it is again evaluated for significance. the path manager is called for action.

4) Choose a very short reply time. 10) Cause a denial-of-service attack caused by overload by sending route updates at short intervals. In case of a link failure. it can at least detect the lack of forwarding as in 1). access control or any combination thereof: 1) Incorrect forwarding: acknowledge ROUTE REQUEST. 3) Salvage a route that is not broken. but sends a REPLY message containing the full source route. 3) Salvaging: indicated by the reception of a salvaged packet without having received a link error message first.4. 7) Do not send error messages in order to prevent other nodes from looking for alternative routes. Depending on the type of device. normal DSR information flow (ROUTE REQUEST.the nodes are required to wait a time corresponding to the length of the route they can advertise before sending it in order to avoid a storm of replies). 8) Bogus routing: a strong indication would be when an intermediate node sees itself advertised on a route it does not have. After receiving one or several routes. Unusually increased frequency of route advertising can be detected as in 10). it does not forward the request.2. Detection of Attacks in DSR With the exception of the promiscuous listening in 9). an ALARM message is sent. 6) Manipulate flow metrics for the same reason. authentication. if the former is not possible due to asymmetric links. It may send that reply along the source router in reverse order or issue a ROUTE REQUEST including the route to get back to the source. 5. some events may be less important such that the effort to monitor and detect these particular events may be omitted. 5.00 © 2002 IEEE . send new request or do not forward at all. 4) Reply time too short: can be detected by comparing reply time to actual route length. If a receiving node is the destination. the better the route metrics (number of hops. can ‘salvage’ the route by bypassing the bad link. if a node cannot tell whether a route is real or bogus. to advertise a non-existent or wrong route.e. In general. also gratuitous. 5) Set good metrics of bogus routes for priority and remaining time in the cache. the source picks the best (by default the shortest). or has a route to the destination. i. keeping a copy of a packet until having confirmed correct forwarding by listening to the transmission of the next hop node. 5). 8) Use bogus routes to attract traffic to intercept packets and gather information. In this example. it will look like the source is still the original one. non-repudiation. Routes that contain a failed link. 2) Bogus routing information or traffic attraction: reply to ROUTE REQUEST. so the route will be prioritized and stay in the cache longer. integrity. If the salvage bit is not set. confidentiality. ROUTE REPLY messages) as explained in Section 5 takes place. 9) Use promiscuous mode to listen in on traffic destined for another node.3. 5. the higher the preference given to the route and the longer it will stay in the cache. ROUTE REPLY messages can be triggered by ROUTE REQUEST messages or gratuitous. 2). In more detail: Proceedings of the 10th Euromicro Workshop on Parallel. 6) Metrics of bogus routes too good: detectable by comparing metrics to actual quality. Grudging Nodes in DSR The suggested scheme works as an extension to a routing protocol. As a last resort. targeting availability. 10) Route updates too frequent: detectable by keeping timestamp of last update to compare. Figures 2 through 5 show the flow of messages and data from route discovery to the detection of malicious behavior and subsequent rerouting. the node that can not forward the packet to the next node sends an error message towards the source. Distributed and Network-based Processing (EUROMICRO-PDP’02) 1066-6192/02 $17. and sends messages along that path. Once non-cooperative behavior has been detected and exceeds threshold values. delay. all of the attacks listed above correspond to observable events the monitor component in each node can detect either at once or at the latest when they happen repeatedly: 1) Forwarding: this can be detected by passive acknowledgement. bandwidth or other criteria) and the sooner the REPLY arrived at the source (indication of a short path . 7) Lack of error messages: indicated in the case when a node receives a link error message from its own link layer but no explicit error message by other nodes in the range. Attacking DSR We found the following ways of attacking DSR. This works only until upper layers find out.themselves into the source route unless they have received the same request before. stores it.

node E would send the reply along a path to A that it has in its route cache. The increased security will come at the price of some overhead.B . st( E[ M A ]) o . Analysis Detailed simulations in GloMoSim [17] are under way. A.D. In this example. After the occurrence of the bad behavior of node D was observed by node C for a number exceeding a threshold. [E.B . Distributed and Network-based Processing (EUROMICRO-PDP’02) 1066-6192/02 $17. In this route request. in the presence of malicious nodes only the first few packets are dropped (according to the defined threshold plus the time it takes to react) in the fortified version of DSR. During the data flow.E ) B 3 )Da ta (A . node A. Data flow and alarm: A sends data and receives an ALARM from C that D does not forward. The reply message contains the reversed source route to the destination and is sent to the source.B . node A acknowledges the message to the reporting node C and decides to A uses an use the alternate path via node B to send the data to the destination node E. Route request: A wants to send to E. B]) (D[ A Ro u (E[ te Re A. node D does not forward the data destined for node E. but inherently the price of no communication at all due to malicious nodes is higher than any overhead by one extra message in the protocol. Route reply: both D and E know a path to E. node C triggers an ALARM message to be sent to the source.C A 1) 2 )Da ta (A. C D Figure 5. see [3] for a sketch of the simulation design and methodology. C. Ro ute Reply (A . or if generally the route can not be reversed. and from node D.(E[A]) Route Request B Route ues R eq ute Ro A.E) ar di ) . [E . which has a path to E.A]) E A . Preliminary results have shown that even if the DSR protocol is only fortified by reacting to forwarding defection. Figure 4.A]) D Figure 3.00 © 2002 IEEE . 5. Figure 3 shows the reply messages of the destination node itself.n (D fo rw C Route Request(E[A. In Figure 4 data flow is from node A to node E via node C and D. the already found path from A to E is included. If there is no path to A in the route cache. Proceedings of the 10th Euromicro Workshop on Parallel.C. E has to perform a route discovery itself to get to A. D .the ALARM message. C.C]) D Cache: E 2)Data(A. In this case.5.D. node A has chosen this route according to some metrics and preferred it over the route via B. node C detects that node D does not behave correctly. Figure 2 shows DSR route discovery for a path from node A to node E. B qu est ]) B R equ est(E [A.B . Upon reception of the ALARM message as shown in Figure 5.[ E. node E. whereas all of the packets are dropped using the normal defenseless DSR protocol. the exact amount of which is being investigated and simulated.A]) B A R ou te R ep ly ( Ro u te Re p ly (A . [E .B A ]) Ro 1) ut eR ( ta Da 3) eq E AL ue E t AR E) D. Act on alarm: reroute: alternate path to E.N ng C D Figure 2. In the case of unidirectional links.A AL ]) C Route Reply (A. For analytical evaluation we are investigating the use of Game Theory. Every node forwards the request to its neighbors unless it has already received the same route request or has a path cache entry for the desired destination.E ) E AR M ) (D AC K .

Depending on the extent to which the security issues are addressed. Oxford University Press. Canada. Resnick. The focus is on finding a sustainable relationship between the total number of nodes in the network. the number of malicious nodes that can be tolerated and the number of friends per node needed to achieve that. pages 963–967. Oakland. and M. John Wiley $ Sons. Boudec. Baker.6. [9] D. 1998. New ways of distributing trust can be implemented by introducing the notion of friends and making their cooperation pay off. J. alerting and reaction. mobile ad hoc networks do not rely on any infrastructure and central authorities. and J. As opposed to traditional networks. Friedman. [13] P. May 26-29. Alberta. Marti. 1976. Cornell Computer Science Technical Report 99-1776. February 1997. A. 2000. 2000.Next Steps The next steps will consist of implementing more of the approaches discussed so far in simulations for evaluation and performance analysis. IEEE Press. R. special care has to be taken to include security mechanisms for the increased requirements in this environment. S. [4] L.html. Security is a major challenge for mobile ad hoc networks. We are analyzing the scalability. The terminode project: Towards mobile ad hoc WANs. No. [14] B. Bagrodia. 1996. Kubitz. Giordano. The resurrecting duckling. 2000. Johnson and D. [18] P. Securing ad hoc networks. October 1999. [6] A. Zimmerman. Proceedings of the 10th Euromicro Workshop on Parallel. Lecture Notes in Computer Science. 1 edition.-Y. Communications of the ACM. and M. November/Dezember. GloMoSim: A library for parallel simulation of large-scale wireless networks. 1999. In Proceedings of Internet Society Symposium on Network and Distributed System Security. San Diego. Haas. Mitigating routing misbehavior in mobile ad hoc networks. because good citizenship can not be assumed in an open world. Kesdogan. 1995. R. L. 2000. Dawkins. [11] MANET. and M. R. K. Hubaux. B. J. Decentralized trust management. 2000. the cost/benefit ratio. Buttyan and J. [17] X. and fairness. [15] B. CA. Future Work . Kleinberg. and K. RR 3354. Anderson and F. Hamdi. Smith. Springer-Verlag. Atlanta. [12] S. [7] Z. Vol. Reputation systems. and J. 13. Observable attacks on forwarding and routing can be thwarted by the suggested scheme of In Proceedings of MOBICOM 2000. Enforcing service availability in mobile ad-hoc wans. Boudec. pages 255–265. Giuli.ietf. Maltz. [10] J. [2] M. for instance what happens to a node in a remote location. Buchegger and J. where anyone can join the network. L. Secrets and Lies. Stajano. Mobile Ad Hoc Network (MANET) Working Group. 1993. Murthy. Hubaux. special issue on networking security. Inc. The Selfish Gene. Fasbender. This paper identifies the special requirements of mobile ad hoc network security. S. Gerla. or how to deal with colluding nodes. 1999. Nodes learn not only from their own experience. http://www. Zeckhauser. Schneier. References [1] R. [3] S. pages 85–92.charters/manetcharter. people might be reluctant to use mobile ad hoc networks. Blaze. pages 24–30. they can be highly dynamic and mobile and operate over unreliable wireless media. The small-world phenomenon: An algorithmic perspective. Conclusions Mobile ad hoc networks exhibit new vulnerabilities to security attacks. Feigenbaum. Stallings. Internet Draft. In Proceedings of the 46th IEEE Vehicular Technology Conference. Kuwabara. CA. 1999.-P. In IEEE Network magazine. 43(12):45–48. We will look at further issues that have not been addressed in this paper. When designing protocols for mobile ad hoc networks. In Proceedings of IEEE Conference on Security and Privacy. 1999.00 © 2002 IEEE . D. E. Securing distance-vector routing protocols. 2 edition.-Y.-P. T. and O. Variable and scalable security: Protection of loccation information in mobile IP. The dynamic source routing protocol for mobile ad hoc networks. 6. and the goodput increase and overhead for achieving security as defined in this paper. but also from observing the neighborhood and from the experience of their friends. Proceedings of the 12th Workshop on Parallel and Distributed Simulations–PADS ’98. [8] J. Digital Security in a Networked World. 7. and it introduces a scheme to cope with them by retaliating for malicious behavior and warning affiliated nodes to avoid bad experiences. Lacy. [16] W. 2001. PGP user’s guide. Lai. [5] R. Garcia-Luna-Aceves. Other interesting issues include rumor spreading and transitive trust in a ‘small world’ [10] and how it could be used to locate friends. 1996. Network and Internetwork Security. Zeng. IETF. Distributed and Network-based Processing (EUROMICRO-PDP’02) 1066-6192/02 $17. In Proceedings of MOMUC’99 San Diego. robustness. 1989 edition. where friends might be far away. IBM Research Report: The Selfish Node: Increasing Routing Security in Mobile Ad Hoc Networks. in Banff. MobiHOC.